COMPLIANCE BRIEFING: BLOG

The European General Data Protection Regulation (GDPR), which will become effective on May 25, 2018, is set to shake up how businesses collect, store and use personal information.

Organisations of all sizes will need to comply with the new regulation, which governs the collection, storage and usage of personal information about individuals in the EU (the GDPR applies to data subjects who are in the Union, whatever their citizenship).

But recent research suggests that as many as 20% of marketing agencies could go under if they incur a fine for breaching the rules.

So how do marketeers prepare, especially when agencies are expected to manage customer information on a client’s behalf? If they do not want to fall into the data trap, new lines of responsibility will need to be drawn up.

Organisations must not stick their heads in the sand regarding the new regulation, or assume that the rules do not apply to them without first understanding them. Failure to comply with the GDPR will lead to heavier punishments than ever before.

Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for a breach, but the GDPR provides for a fine of up to €20 million or 4% of annual worldwide turnover (whichever is higher).

What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, such as distress. Not only can this significantly damage a brand, but a single incident could generate thousands of individual claims, or a collective action brought on the claimants’ behalf.

So, let’s consider the objectives of the GDPR. They are to: 1) give citizens and residents back control of their personal data and 2) simplify the regulatory environment for international business by unifying the regulation within the EU.

An issue that could catch agencies out is that even though the UK has voted to leave the EU, UK businesses will still have to comply with the new regulation if the data they handle relates to individuals in the EU, or has the potential to identify individuals within the EU. Digital minister Matt Hancock has also confirmed that the UK will replace the 1998 Data Protection Act (DPA) with legislation that mirrors the GDPR post-Brexit.

Under the terms of the GDPR, the duty to appoint a Data Protection Officer (DPO) is not tied to headcount. Article 37 makes a DPO mandatory for public authorities and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of the special categories of data defined in Article 9. This person is responsible for ensuring that the business collects and secures personal data responsibly.

The 250-employee threshold that is often quoted belongs to a different obligation, the record of processing activities in Article 30. Organisations with fewer than 250 staff are exempt from keeping that record only if their processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and includes no special categories of data. An agency that regularly processes customer data on a client’s behalf fails the “occasional” test straight away, so small size alone does not put it out of scope.

So already it’s easy to see that the GDPR is going to give almost all marketeers cause for concern, as they recognise the need to re-evaluate how they collect, store and use personal data.

But that’s only half the battle. The biggest challenge will be identifying where all the customer data resides, who ‘owns’ it and ensuring there are no forgotten repositories.

Before implementing any new processes for the treatment of data, or for handling requests for data under the GDPR, you must find all relevant data. The advice from the UK’s ICO and other national authorities concurs with this approach, naming “identifying what data you hold” as a key step.

Given how rapidly data is collected, created and stored by organisations, it is impractical to find this out manually. What is correct at the beginning of this year could be wildly different in six months’ time. Moreover, a manual survey produces a catalogue of where people think data is held and processed (usually the systems designed to hold it, like a CRM system) rather than where data is actually held (such as a spreadsheet extracted from the CRM system to run a regular report, then left on a shared drive).

This task of creating a data inventory does not need to be arduous. Using Big Data and Machine Learning techniques as part of an eDiscovery and data mapping process makes it possible to find and categorise data rapidly, and to keep doing so on an on-going basis, giving continual compliance for your business rather than compliance at a single point in time.

After identifying your data, you need to be able to classify it: not only for corporate governance, but also for the purposes of the GDPR, which distinguishes between personal data and the special categories of personal data (what the current DPA calls sensitive personal data) that attract stricter conditions.

It’s crucial that classification is applied consistently; it shouldn’t be left to individuals to remember to label things. Applying the same classification rules automatically across every repository, with Machine Learning and Big Data tooling where the volume demands it, means the decision does not depend on who happened to create or copy a file.

After your data has been identified and classified you will have a robust platform upon which to implement your processes. This third step is where you can work with the data and apply time-saving processes such as de-duplication, request handling, access management and the automation of processes.
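As an added illustration of the three steps above (this is example code written for this page, not code from the original post or from any product the author describes), the following Python script inventories a constructed set of documents, including a spreadsheet that is a byte-for-byte copy of a CRM export, classifies each one as personal data or special-category personal data, and flags duplicates by content hash. The detection patterns, the Article 9 keyword list and the sample files are all assumptions made for the example; real discovery tooling uses far richer detectors and context.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative detectors only (assumed for this example). Real discovery tooling
# recognises names, addresses, national identifiers and more, and uses context.
PERSONAL_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}

# Assumed keyword list standing in for the GDPR Article 9 special categories
# (health, religion, ethnicity, trade union membership, sexual orientation ...).
SPECIAL_CATEGORY_TERMS = re.compile(
    r"\b(diagnos\w*|diabet\w*|religio\w*|trade union|ethnic\w*|sexual orientation)\b",
    re.IGNORECASE,
)


@dataclass
class Record:
    """One inventory entry: where a document lives and what was found in it."""
    path: str
    digest: str
    personal_hits: Dict[str, List[str]] = field(default_factory=dict)
    special_hits: List[str] = field(default_factory=list)
    duplicate_of: Optional[str] = None

    @property
    def classification(self) -> str:
        # Special-category terms only matter when they are tied to an identifiable person.
        if self.special_hits and self.personal_hits:
            return "special category personal data"
        if self.personal_hits:
            return "personal data"
        return "no personal data found"


def scan(corpus: Dict[str, str]) -> List[Record]:
    """Step 1 (identify), step 2 (classify) and a step-3 process (de-duplicate)
    over a mapping of path -> text content. Paths are visited in sorted order,
    so the first path with a given content hash is treated as the original."""
    seen: Dict[str, str] = {}  # content digest -> first path holding that content
    records: List[Record] = []
    for path, text in sorted(corpus.items()):
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        rec = Record(path=path, digest=digest)
        for label, pattern in PERSONAL_PATTERNS.items():
            hits = pattern.findall(text)
            if hits:
                rec.personal_hits[label] = sorted(set(hits))
        rec.special_hits = sorted({m.lower() for m in SPECIAL_CATEGORY_TERMS.findall(text)})
        if digest in seen:
            rec.duplicate_of = seen[digest]  # same bytes already inventoried elsewhere
        else:
            seen[digest] = path
        records.append(rec)
    return records


def inventory_report(records: List[Record]) -> str:
    """Human-readable summary: one line per document."""
    lines = []
    for r in records:
        dup = f" (duplicate of {r.duplicate_of})" if r.duplicate_of else ""
        lines.append(f"{r.path}: {r.classification}{dup}")
    return "\n".join(lines)


# Constructed sample "file share": a CRM export, an exact copy of it left in a
# marketing folder, an HR note with health data, and a document with no PII.
SAMPLE_CORPUS = {
    "crm/export_2017.csv": "name,email,mobile\nJane Doe,jane.doe@example.com,07700 900123\n",
    "shared/marketing/report_copy.csv": "name,email,mobile\nJane Doe,jane.doe@example.com,07700 900123\n",
    "shared/hr/notes.txt": "Jane Doe (jane.doe@example.com) off sick; diagnosis: diabetes, return date TBC.\n",
    "docs/style_guide.txt": "Use sentence case for headings. Contact the brand team on the intranet.\n",
}

if __name__ == "__main__":
    print(inventory_report(scan(SAMPLE_CORPUS)))
```

The point of hashing content rather than trusting file names is the "forgotten repository" problem described above: the copy in the marketing folder is reported as a duplicate of the CRM export regardless of what it was renamed to, so a deletion or subject-access request can be applied to both.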

These are the first steps in what will be an on-going process. But I believe that these steps are crucial for any organisation that wants to get it right first time.

Understanding the type of data that will be affected under the GDPR is one thing, but having to search for where that data is held and who is responsible for it is another issue entirely and, unfortunately, without the right tools I can see many organisations running into difficulty.

In a perfect world, all data would be stored securely and processes would be in place to ensure personal data is kept separately under a security framework.

But in my experience, that’s just not the reality. Across the organisations we have worked with there is an average of 10GB of unstructured data per employee, and 9% of that data contains personally identifiable information.

The tools that can help your organisation become compliant are already available. They can help you implement new processes and avoid the issues discussed above. So act now and don’t be caught in the data trap when the GDPR comes into force next year.

By Adrian Barrett, CEO and founder of Exonar